Abstract 

The commitment of bits between two mutually distrustful parties is a powerful 
cryptographic primitive with which many cryptographic objectives can be achieved. It 
is widely believed that unconditionally secure quantum bit commitment is impossible 
due to quantum entanglement cheating, which is codified in a general impossibility 
theorem. Gaps in the proof of this impossibility theorem are found. An unconditionally 
secure bit commitment protocol utilizing anonymous quantum states and the no-clone 
theorem is presented below with a full security proof. 

PACS #: 03.67Dd, 03.65Bz 



NOTE: 

1. This paper is self-contained. The titles of this paper and quant-ph/0006109 [referred 
to as (I) in this note] will be interchanged when a revision of (I) is completed. In (I), 
three QBC protocols (QBC1, 2, 3) are described that may be unconditionally secure. 

2. Protocol QBC1 can indeed be proved secure, as will be shown in the revision of (I). 

3. Protocol QBC2, as presented in (I), has a security gap that can be filled in various 
ways. One way is to use decoy states as described in this paper. 

4. Protocol QBC3 in (I) is insecure, similar to QBC01 also described in (I). The name 
QBC3 is taken over by the protocol of this paper, which may be viewed as a simplification 
of QBC2. 

5. In the forthcoming revision of (I) and in this paper, the places where the impossibility 
proof fails in each of the protocols will be precisely pinpointed. 
Quantum cryptography, the study of information security systems involving quantum 
effects, has recently been associated almost exclusively with the cryptographic objective of 
key distribution. This is due primarily to the nearly universal acceptance of the general 
impossibility of secure quantum bit commitment (QBC), taken to be a consequence of the 
Einstein-Podolsky-Rosen (EPR) type entanglement cheating which rules out QBC and other 
quantum protocols that have been proposed for various other cryptographic objectives [?]. 
In a bit commitment scheme, one party, Adam, provides another party, Babe, with a piece 
of evidence that he has chosen a bit b (0 or 1) which is committed to her. Later, Adam 
would "open" the commitment: revealing the bit b to Babe and convincing her that it is 
indeed the committed bit with the evidence in her possession. The usual concrete example 
is for Adam to write down the bit on a piece of paper which is then locked in a safe to be 
given to Babe, while keeping for himself the safe key that can be presented later to open the 
commitment. The evidence should be binding, i.e., Adam should not be able to change it, 
and hence the bit, after it is given to Babe. It should also be concealing, i.e., Babe should 
not be able to tell from it what the bit b is. Otherwise, either Adam or Babe would be able 
to cheat successfully. 

In standard cryptography, secure bit commitment is to be achieved either through a 
trusted third party or by invoking an unproved assumption on the complexity of a certain 
computational problem. By utilizing quantum effects, various QBC schemes not involving a 
third party have been proposed that were supposed to be unconditionally secure, in the sense 
that neither Adam nor Babe can cheat with any significant probability of success as a matter 
of physical laws. In 1995-1997, a general proof of the impossibility of unconditionally secure 
QBC and the insecurity of previously proposed protocols were described [?]. Henceforth, 
it has been accepted that secure QBC and related objectives are impossible as a matter of 
principle [?]. 

Since there is no known characterization of all possible QBC protocols (or indeed all 
possible cryptographic protocols of any kind) with corresponding performance characterization, 
logically there can really be no general impossibility proof even if it were indeed impossible 
to have a secure QBC protocol. In this paper, a QBC scheme utilizing anonymous states 
and decoy states will be presented with an unconditional security proof. The basic reason 
for its success is that the flow of classical information between the two parties is not 
properly accounted for in the impossibility proof. The results are developed within nonrelativistic 
quantum mechanics, unrelated to relativistic protocols [?]. The QBC framework is as follows. 

When Adam picks $b = 0$ to commit to Babe, he sends her a state $|\phi_i\rangle \in \mathcal{H}^B$ with 
probability $p_i$ within fixed openly known sets $\{|\phi_i\rangle\}$ and $\{p_i\}$ for $i \in \{1, \cdots, M\}$. When he 
picks $b = 1$, he sends $|\phi'_i\rangle \in \mathcal{H}^B$ from another fixed openly known set $\{|\phi'_i\rangle\}$ with probabilities 
$\{p'_i\}$. The $\{|\phi_i\rangle\}$ and $\{|\phi'_i\rangle\}$ are so chosen that they are concealing as evidence, i.e., Babe 
cannot reliably discriminate between them in optimum binary quantum hypothesis testing 
[10]. They would also be binding if Adam is honest and sends them as they are, which 
he could not change after Babe receives them. In that case, when Adam reveals the bit by 
telling exactly which state $|\phi_i\rangle$ or $|\phi'_i\rangle$ he sent, Babe can measure the corresponding projector 
to verify the bit. In general, Babe can always guess the bit with a probability of success 
$P_c^B = 1/2$, while Adam should not be able to change a committed bit at all. However, it is 
meaningful and common to grant unconditional security when the best $P_c^B$ Babe can achieve 
is arbitrarily close to $1/2$ and Adam's best probability of successfully changing a committed 
bit $P_c^A$ is arbitrarily close to zero [?] even when both parties have perfect technology and 
unlimited resources including computational power. 

The impossibility proof gives the following general EPR cheat that Adam can launch. 
Instead of sending $|\phi_i\rangle$ or $|\phi'_i\rangle$, Adam can generate $|\Phi_0\rangle$ or $|\Phi_1\rangle$ depending on $b = 0$ or $1$, 

$$|\Phi_0\rangle = \sum_i \sqrt{p_i}\,|e_i\rangle|\phi_i\rangle, \qquad |\Phi_1\rangle = \sum_i \sqrt{p'_i}\,|e'_i\rangle|\phi'_i\rangle, \qquad (1)$$

with $\{|e_i\rangle\}$, $\{|e'_i\rangle\}$ complete orthonormal in $\mathcal{H}^A$, and sends Babe $\mathcal{H}^B$ while keeping $\mathcal{H}^A$ 
himself. He can switch between $|\Phi_0\rangle$ and $|\Phi_1\rangle$ by an operation on $\mathcal{H}^A$ alone, and thus alter 
the evidence to suit his choice of $b$ before opening the commitment. In the case $\rho_0^B = 
\mathrm{tr}_A|\Phi_0\rangle\langle\Phi_0| = \rho_1^B = \mathrm{tr}_A|\Phi_1\rangle\langle\Phi_1|$, the switching operation is to be obtained by using the so-called 
"Schmidt decomposition," the expansion of $|\Phi_0\rangle$ and $|\Phi_1\rangle$ in terms of the eigenstates 
$|\phi_k\rangle$ of $\rho_0^B = \rho_1^B$ and the eigenstates $|e_k\rangle$ and $|e'_k\rangle$ of $\rho_0^A$ and $\rho_1^A$, 

$$|\Phi_0\rangle = \sum_k \sqrt{\lambda_k}\,|e_k\rangle|\phi_k\rangle, \qquad |\Phi_1\rangle = \sum_k \sqrt{\lambda_k}\,|e'_k\rangle|\phi_k\rangle. \qquad (2)$$

By applying a unitary $U^A$ that brings $\{|e_k\rangle\}$ to $\{|e'_k\rangle\}$, Adam can select between $|\Phi_0\rangle$ or 
$|\Phi_1\rangle$ any time before he opens the commitment but after he supposedly commits. When $\rho_0^B$ 
and $\rho_1^B$ are not equal but close, it was shown that one may transform $|\Phi_0\rangle$ by a $U^A$ to a 
$|\tilde\Phi_0\rangle$ with $|\langle\Phi_1|\tilde\Phi_0\rangle|$ as close to 1 as $\rho_0^B$ is close to $\rho_1^B$ according to the fidelity $F$ chosen, and 
thus the state $|\tilde\Phi_0\rangle$ would serve as the effective EPR cheat. This $U^A$ is determined from 
knowledge of $p_i, p'_i, \phi_i$, and $\phi'_i$ [?]. 
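The switching step of (1)-(2) in a concrete two-qubit instance, as an added example that is not part of the paper: the two entangled states, the Hadamard switching unitary and the trace-norm check of (6) are this example's own constructions, chosen so that Babe's marginals coincide exactly.

```python
"""Added illustration (not from the paper) of the EPR switching step behind
equations (1)-(2): when Adam's two entangled states have the same marginal
on Babe's qubit, a unitary on Adam's qubit alone maps one onto the other.
The two-qubit states are constructed for this example; amplitude vectors
are ordered |a b> with Adam's qubit first."""
import math

INV_SQRT2 = 1 / math.sqrt(2)
# |Phi_0> = (|00> + |11>)/sqrt(2): Babe's marginal is I/2
PHI0 = [INV_SQRT2, 0.0, 0.0, INV_SQRT2]
# |Phi_1> = (|0>|+> + |1>|->)/sqrt(2) = (|00> + |01> + |10> - |11>)/2:
# Babe's marginal is again I/2, although <Phi_0|Phi_1> = 0
PHI1 = [0.5, 0.5, 0.5, -0.5]
HADAMARD = [[INV_SQRT2, INV_SQRT2], [INV_SQRT2, -INV_SQRT2]]
IDENTITY = [[1.0, 0.0], [0.0, 1.0]]


def kron2(a, b):
    """Kronecker product of two 2x2 matrices, giving a 4x4 matrix."""
    return [[a[i // 2][j // 2] * b[i % 2][j % 2] for j in range(4)]
            for i in range(4)]


def apply(mat, vec):
    """Matrix-vector product."""
    return [sum(row[j] * vec[j] for j in range(len(vec))) for row in mat]


def inner(u, v):
    """<u|v> for amplitude vectors."""
    return sum(x.conjugate() * y for x, y in zip(u, v))


def fidelity(u, v):
    """|<u|v>|^2 for normalised state vectors."""
    return abs(inner(u, v)) ** 2


def babe_marginal(vec):
    """Reduced density operator tr_A |vec><vec| on Babe's qubit."""
    rho = [[0j, 0j], [0j, 0j]]
    for a in range(2):
        for i in range(2):
            for j in range(2):
                rho[i][j] += vec[2 * a + i] * vec[2 * a + j].conjugate()
    return rho


def trace_norm_2x2(mat):
    """Trace norm of a Hermitian 2x2 matrix via its two real eigenvalues."""
    t = (mat[0][0] + mat[1][1]).real
    d = (mat[0][0] * mat[1][1] - mat[0][1] * mat[1][0]).real
    disc = math.sqrt(max(t * t - 4 * d, 0.0))
    return abs((t + disc) / 2) + abs((t - disc) / 2)


def babe_success_probability():
    """Babe's optimal guessing probability, equation (6) applied to her
    marginals of PHI0 and PHI1: 1/2 + ||rho_0 - rho_1||_1 / 4.  Here the
    marginals coincide, so the commitment is perfectly concealing."""
    r0, r1 = babe_marginal(PHI0), babe_marginal(PHI1)
    diff = [[r0[i][j] - r1[i][j] for j in range(2)] for i in range(2)]
    return 0.5 + trace_norm_2x2(diff) / 4


def switch_commitment():
    """Adam's switching unitary U^A = H (x) I acts on his qubit only and turns
    the committed |Phi_0> into |Phi_1>, so the commitment is not binding."""
    return apply(kron2(HADAMARD, IDENTITY), PHI0)


if __name__ == "__main__":
    print("Babe's P_c^B:", babe_success_probability())
    print("fidelity of switched state with |Phi_1>:",
          fidelity(switch_commitment(), PHI1))
```

The two states are orthogonal as global states, yet Babe, holding only her half, cannot do better than a coin flip; that is exactly the situation in which the impossibility argument lets Adam open either bit.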

Using the anonymous quantum state technique [12], the bit commitment may proceed as 
follows. Babe transmits to Adam a state $|\psi\rangle$ only known to herself. Adam sends her back a 
committed bit $b$ via modulating $|\psi\rangle$ by openly known unitary operators $U_b$. Thus, the states 
$|\phi_i\rangle$ and $|\phi'_i\rangle$ in (1) are not known to Adam, and the corresponding cheating $U^A$ cannot be 
found in the case $\rho_0^B$ is close, but not identical to, $\rho_1^B$ [?]. How is the impossibility proof 
supposed to work in this case? It appears from [?], and especially [?], that such classical 
randomness introduced in the protocol is to be turned into quantum determinateness via 
quantum entanglement purification of a mixed quantum state. Such a prescription fails to 
preserve the protocol for several reasons [13], one of which is exploited in the protocol QBC3 
to be described in this paper. Generally, the impossibility proof appears to suffer from 
the glaring and severe scope problem — why are all possible QBC protocols covered by its 
transparently very specific formulation? For example, why are $\rho_0^B$ and $\rho_1^B$ necessarily the 
marginal states obtained by tracing over the states generated by Adam as in (1)? Protocol 
QBC3 shows clearly that this is not the case. A precise specification of QBC3 with a full 
security proof will be given after the following description of how the protocol works. 

Let the state sent by Babe be an arbitrary state of a qubit, a two-dimensional quantum 
state space. Thus it is described by a three-dimensional unit vector on the Bloch-Poincare 
sphere [?]. Let $U_0 = I$ and $U_1 = R(\theta, C)$, a rotation by an angle $\theta$ on some great circle 
$C$ on the sphere. To fix ideas, we may let $\theta = \pi$, so that $U_0|\psi\rangle$ and $U_1|\psi\rangle$ are orthogonal 
when $|\psi\rangle$ is on $C$, but this choice is not mandatory. It is clear that Adam cannot cheat 
in this case, since there is only one possible state for each bit value, and so no possibility 
for entanglement — assuming, as in the impossibility proof, that he is going to maintain a 
perfect opening for $b = 0$, so that entanglement cheating is to be used for opening $b = 1$. 
The general case will be dealt with later. On the other hand, Babe can cheat perfectly by 
measuring the basis $\{|\psi\rangle, R(\pi, C)|\psi\rangle\}$ with $|\psi\rangle$ on $C$. If the two states $U_0|\psi\rangle$ and $U_1|\psi\rangle$ are 
chosen to be close to make $P_c^B - 1/2$ small, $P_c^A$ is close to one by simply declaring $b = 1$ on 
the committed $U_0|\psi\rangle$. Thus, we keep the above choice and defeat Babe's cheating by the 
use of decoy states. Instead of just one qubit $U_b|\psi\rangle$, Adam can send back to Babe a sequence 
of $n$ qubits 

$$|\psi_1\rangle_1 \cdots |\psi_i\rangle_i \cdots |\psi_n\rangle_n, \qquad (3)$$

each named by its position in the sequence — e.g., state $i$ describes the qubit occupying the 
nonoverlapping $i$th time interval. In (3), one of the $|\psi_i\rangle$ is randomly chosen to be $U_b|\psi\rangle$; the 
others are independently and randomly chosen to be arbitrary qubit states. (The orientation 
of each Bloch sphere for each qubit is, as usual, assumed known to both parties.) Adam 
opens by telling Babe which $|\psi_i\rangle$ is $U_b|\psi\rangle$ and what $b$ is. 

Since Adam still cannot cheat via entanglement — he needs to identify the exact qubit 
(indeed local state invariance [13] would be violated if he could cheat via entanglement) — 
it is clear that he can only cheat with a fixed (not arbitrarily small) probability; for $|\psi\rangle$ 
on $C$ it is $P_c^A = 1/2$, corresponding to the probability that a randomly chosen state on $C$ 
could be accepted as a fixed given state on $C$. This cheating probability $1/2$ is obtained 
by announcing another $|\psi_i\rangle \neq U_0|\psi\rangle$ to be $U_1|\psi\rangle$. With perfect opening on $b = 0$, the 
no-clone theorem [?, 16] prevents Adam from doing any better; it makes the use of decoy 
states secure and demonstrates the quantum nature of the protocol. Note that the use of 
anonymous states from Babe is essential for preventing Adam's cheating. If the condition of 
perfect opening on $b = 0$ is relaxed, Adam can employ an optimal one-to-two cloner on $|\psi\rangle$, 
apply $U_0$ and $U_1$ to them, and open accordingly. The optimal $P_c^A$ in this case is again some 
fixed number $p$, not arbitrarily close to one. On the other hand, Babe's cheating probability 
can be made arbitrarily small by having $n$ large. This is intuitively obvious because, in order 
to cheat with $P_c^B > 1/2$, Babe needs to either guess correctly the $i$th position that carries 
$U_b|\psi\rangle$ or to take a majority vote from measurement results among the $n$ qubits with only 
the advantage of one qubit in her favor. It turns out that this second strategy is optimum 
for her, but evidently it still performs poorly. Her entanglement would not help because she 
is trying to decide, rather than to change, what she has sent. Indeed, the following proof 
shows that even if she adjoins her entangled qubit positions correctly, the entanglement does 
not improve $P_c^B$. Thus we now have a situation directly contradicting the strong claim of 
the impossibility proof, which goes beyond the mere impossibility of unconditional security 
by asserting that whenever $P_c^B - 1/2$ is arbitrarily small, $P_c^A$ is arbitrarily close to one. 

At this point, it is appropriate to examine why the impossibility proof fails to work in 
this basically very simple protocol. One way to look at it, as indicated above, is that $\rho_0^B$ and 
$\rho_1^B$ are not the marginal states obtained by tracing over $|e_i\rangle$ and $|e'_i\rangle$ in $|\Phi_0\rangle$ and $|\Phi_1\rangle$ due to 
the introduction of additional qubit position randomness. As an alternative way to discern 
this failure of the impossibility proof, one may understand the impossibility proof as first 
granting the condition $\rho_0^B$ is close to $\rho_1^B$ and then purporting to show that $P_c^A$ is close to 1 
as a consequence, with the change of classical randomness into quantum determinateness. 
In QBC3, this would entail that Babe would generate an entangled state $\sum_i \sqrt{\lambda_i}\,|\psi_i\rangle_B|f_i\rangle_C$ 
with openly known $\lambda_i$, and send $\mathcal{H}^B$ to Adam, while keeping $\mathcal{H}^C$ to herself. (Whether 
$i$ is from a continuum or a finite set is not important here.) At the end of the commitment 
phase she would measure the orthogonal basis $\{|f_i\rangle\}$. An error of the impossibility proof 
can now be seen. For her verification in QBC3, Babe only accepts one state, the state 
finally sent, and thus is using her measurement result, while the measurement result for such 
classical randomness is implicitly assumed not to be used in the impossibility proof, which 
in fact does not carry any description of the utilization of such measurement results. It is 
precisely such total lack of any role for classical information flow and utilization between the 
two parties that makes the impossibility proof severely limited in scope, and incorrect as a 
general proof. This problem also manifests itself in opening other gaps in the impossibility 
proof; see [13] for further discussion. 



While the above development shows how and why the impossibility proof breaks down, it 
does not yet show that unconditionally secure quantum bit commitment is possible because 
$P_c^A$ is not arbitrarily small. However, it can be made so in a sequence rather than a single 
qubit. Let Babe send Adam a sequence of $m$ qubits 

$$|\psi^1\rangle_1 \cdots |\psi^j\rangle_j \cdots |\psi^m\rangle_m, \qquad (4)$$

each randomly and independently chosen from $C$ and named by its temporal position $j$. 
Depending on whether $b = 0$ or $b = 1$, Adam applies $U_0$ or $U_1$ to each of these $m$ qubits, 
randomly places each $|\psi^j\rangle_j$ in a sequence of $n$ qubit states each newly named by its 
temporal position $i$ in the $n$-sequence when sent back to Babe for commitment, with the 
other $n - m$ being independently and randomly chosen arbitrary qubit states. Thus, each of 
the $(n)_m = n!/(n - m)!$ ordered $m$-qubit positions in the $n$-sequence has the same probability 
of being chosen to accommodate the modulated $m$ qubit states. Adam opens by 
telling Babe the bit value and which $|\psi_i\rangle_i$ is $U_b|\psi^j\rangle_j$, for all $j$. It is clear that Adam's $P_c^A$ 
is changed from the single-qubit value $p$ to $p^m$, while $P_c^B - 1/2$ can still be made arbitrarily 
small when $n$ is sufficiently large. Again, Adam has no entanglement attack, and Babe's 
entanglement serves no useful purpose. A precise proof follows. 

PROTOCOL QBC3. 

(i) Babe sends Adam a sequence of states (4), each independently and randomly chosen 
from a fixed great circle $C$ on the Bloch sphere of each of the $m$ qubits; 

(ii) Adam modulates each of these states either by $U_0$ given by the identity transformation 
$I$ or by $U_1$ given by the rotation by $\pi$ radians on $C$, according to $b = 0$ or $b = 1$. He 
then independently and randomly places them among $n$ qubit positions of (3) and 
picks arbitrary states on $C$ for the other $n - m$ qubits, sending the $n$ qubits to Babe 
as commitment; 

(iii) Adam opens by revealing which position each $U_b|\psi^j\rangle_j$ from (4) takes in the $n$-sequence 
(3), and the bit value. Babe verifies by measuring the corresponding projections. 

To see that $P_c^A$ can be made arbitrarily small, we have already shown that Adam has no 
entanglement cheating since he has to identify each individual qubit and there is only one 
state associated with each bit value for each qubit. An optimal one-to-two cloner for each qubit 
from (4) can be employed, with an appropriate criterion given by the average over individual 
qubit inner products that yields the $p$ described above. While there are many results in the 
literature on approximate cloning [17], the most general one appropriate to our criterion 
$p$ does not seem to have been worked out. Nevertheless, $p$ is some fixed number, so that 
$P_c^A = p^m$ can be made arbitrarily small in an $m$-sequence. 



To show that $P_c^B - 1/2$ can also be made arbitrarily small, first consider the $m = 1$ case 
with no entanglement to illustrate the main idea. In this case, Babe's density operators are, 
for $b = 0, 1$, 

$$\rho_b^B = \frac{1}{n}\sum_i \sigma\otimes\cdots\otimes\sigma_b\otimes\cdots\otimes\sigma, \qquad (5)$$

where $\sigma_b$, occurring in each of the $n$ positions with equal probability, is the qubit state $U_b\sigma U_b^\dagger$ 
modulated by Adam with $\sigma = |\psi\rangle\langle\psi|$ if Babe sends a pure state. Since [10, 18] 

$$P_c^B - \frac{1}{2} = \frac{1}{4}\,\|\rho_0^B - \rho_1^B\|_1, \qquad (6)$$

where $\|\cdot\|_1$ is the trace norm [?, 18], and $\rho_0^B - \rho_1^B$ from (5) is diagonal in the product basis 
that diagonalizes $\sigma_0 - \sigma_1$ on each qubit, one finds straightforwardly from (5) that, assuming 
$n = 2l + 1$, 

where $\lambda_+ < 1$ is the positive eigenvalue of $\sigma_0 - \sigma_1$. The optimal probability in (6) can be 
obtained by measuring in the above product basis and setting $b = 0$ or $1$ according to a 
majority vote on the positive and negative outcomes (corresponding to the eigenvectors $|\lambda_+\rangle$ 
and $|\lambda_-\rangle$). Since (7) also implies 

- - > 



2 M' ' ' 

the optimal strategy is better than guessing at the qubit sent, which yields $P_c^B = \tfrac{1}{2} + $ … 

Intuitively, because Babe does not know the positions of the qubits she sent, in the 
general $m$ case with entanglement her optimal strategy for $P_c^B$ is to send all the $|\psi^j\rangle$ of 
(4) in the same uniform state $|\psi\rangle$ without entanglement, measure the diagonal basis of 
$U_0|\psi\rangle\langle\psi|U_0^\dagger - U_1|\psi\rangle\langle\psi|U_1^\dagger$ for each qubit from (3), and take a majority vote. For $n = 
m + 2l' = 2l + 1$, the resulting 

$$P_c^B - \frac{1}{2} = \frac{1}{2^{\,n-m+1}}\binom{n-m}{l'} + \frac{1}{2^{\,n-m}}\sum_{x = l' - (m-1)/2}^{l'-1}\binom{n-m}{x} \qquad (9)$$

is bounded above by $(m + 1)/(2\sqrt{\pi l'})$, which goes to zero for large $l' = (n - m)/2$. To handle 
her possible entanglement on (4), it is simpler to proceed as follows instead of using (9) 
directly. 
To use her entanglement, Babe needs to pick $m$ out of $n$ qubit positions, to which she 
would adjoin her entangled qubits for measurement. For each choice, the probability that 
none of these $m$ positions would overlap with any of the qubits she sent in the $n$-sequence 
(3) is given by the hypergeometric distribution 

$$\binom{n-m}{m}\Big/\binom{n}{m},$$

which is arbitrarily close to 1 for $m/n$ 
sufficiently small. In this case, her part of the entangled state drops out and the value 
$\|\rho_0^B - \rho_1^B\|_1$ is given arbitrarily closely, explicitly proved by applying the triangle inequality 
for the trace norm and noting that $\|\rho_0 - \rho_1\|_1 \le 2$ for any two density operators, through 
the following with no entanglement: 

$$\rho_b = \frac{1}{(n)_m}\sum_{j \in J} \sigma\otimes\cdots\otimes\sigma_{mb}\otimes\cdots\otimes\sigma, \qquad (10)$$

where $J$ is the set of $(n)_m$ $m$-positions out of $n$, and $\sigma_{mb}$ denotes the joint $m$-qubit state for 
any of the $j$th $m$-positions [?]. Since any qubit measurement statistics can be obtained by a 
product basis and joint state across $m$ qubits, it follows that the optimal $P_c^B$ from (10) can 
be obtained from a classical joint distribution on individual qubit variable measurements. 
The resulting optimal quantum performance cannot be better than that of optimizing a 
classical joint distribution or the corresponding Kolmogorov distance [18], because there 
is no compatible basis issue in the classical case. A direct term-by-term bounding of the 
Kolmogorov distance shows that the optimal classical solution indeed corresponds to the 
independent uniform-state qubits indicated above, which is expected if only because 
Babe cannot effectively use any correlation between any of the $m$ qubits without knowing 
their positions. Note that Babe is actually not advised to send uniform qubit states to Adam, 
who can then clone much better in an $m$-to-$2m$ approximate cloner. 
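As an added worked example (not code from the paper), the following Python makes the security numbers of QBC3 concrete: Babe's exact majority-vote success probability as in (9), its closed form and the bound $(m+1)/(2\sqrt{\pi l'})$, the hypergeometric no-overlap probability used in the entanglement argument, a Monte Carlo run of the protocol with Babe's strategy, and Adam's fixed $P_c^A = 1/2$ from opening a decoy as $U_1|\psi\rangle$. Assumptions of the example: a state on $C$ is parametrised by an angle $\varphi$ as $\cos(\varphi/2)|0\rangle + \sin(\varphi/2)|1\rangle$, $U_0 = I$, $U_1$ shifts $\varphi$ by $\pi$, decoys are drawn uniformly from $C$, and all function names are the example's own.

```python
"""Added example (not from the paper): Babe's majority-vote cheating against
protocol QBC3, the no-overlap probability used in the entanglement argument,
and Adam's success when he opens a decoy qubit as the modulated one.
Conventions assumed here: a state on the great circle C is psi(phi) =
cos(phi/2)|0> + sin(phi/2)|1>, U_0 = identity, U_1 shifts phi by pi, and
decoy states are uniform on C.  Function names are this example's own."""
import math
import random
from fractions import Fraction


def majority_vote_success(n, m):
    """Exact P_c^B for the majority vote with n odd: Adam's m modulated qubits
    always vote for the true bit (theta = pi), each of the n - m decoys votes
    for it with probability 1/2 (a uniform state on C measured in the
    {U_0 psi, U_1 psi} basis)."""
    if n % 2 == 0 or not 1 <= m <= n:
        raise ValueError("need n odd and 1 <= m <= n")
    k = n - m                      # number of coin-flip (decoy) votes
    # Babe is right iff m + X > k - X, i.e. X >= (k - m + 1)/2; k - m is odd
    x_min = max(0, (k - m + 1) // 2)
    total = sum(math.comb(k, x) for x in range(x_min, k + 1))
    return Fraction(total, 2 ** k)


def majority_vote_closed_form(n, m):
    """Equation (9) for n = m + 2 l' with m odd:
    P_c^B - 1/2 = C(n-m, l')/2^(n-m+1) + sum_{x=l'-(m-1)/2}^{l'-1} C(n-m, x)/2^(n-m)."""
    if m % 2 == 0 or (n - m) % 2 or m > n:
        raise ValueError("need m odd and n - m even")
    lp = (n - m) // 2
    first = Fraction(math.comb(n - m, lp), 2 ** (n - m + 1))
    rest = sum(Fraction(math.comb(n - m, x), 2 ** (n - m))
               for x in range(max(0, lp - (m - 1) // 2), lp))
    return Fraction(1, 2) + first + rest


def majority_vote_bound(n, m):
    """Upper bound (m+1)/(2 sqrt(pi l')) on P_c^B - 1/2: each of the (m+1)/2
    binomial terms in (9) is at most C(2l', l')/2^(2l') <= 1/sqrt(pi l')."""
    lp = (n - m) // 2
    return (m + 1) / (2 * math.sqrt(math.pi * lp))


def no_overlap_probability(n, m):
    """Hypergeometric probability C(n-m, m)/C(n, m) that m positions Babe
    picks contain none of the m positions Adam used."""
    if m > n - m:
        return Fraction(0)
    return Fraction(math.comb(n - m, m), math.comb(n, m))


def outcome_probability(phi_state, phi_basis):
    """|<psi(phi_basis)|psi(phi_state)>|^2 for two states on C."""
    return math.cos((phi_state - phi_basis) / 2) ** 2


def simulate_majority_vote(n, m, trials, seed=1):
    """Monte Carlo of QBC3 with Babe's strategy from the text: all m of her
    qubits in one state psi(phi), every returned qubit measured in the basis
    {U_0 psi, U_1 psi}, and a majority vote over the n outcomes."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        b = rng.randrange(2)
        phi = rng.uniform(0, 2 * math.pi)
        # Adam's n-sequence (constructed): n - m decoys uniform on C, then
        # the m modulated qubits U_b psi dropped into m random positions
        angles = [rng.uniform(0, 2 * math.pi) for _ in range(n)]
        for pos in rng.sample(range(n), m):
            angles[pos] = phi + b * math.pi
        votes_for_0 = sum(rng.random() < outcome_probability(a, phi)
                          for a in angles)
        guess = 0 if 2 * votes_for_0 > n else 1
        wins += guess == b
    return wins / trials


def simulate_adam_decoy_opening(trials, seed=2):
    """m = 1: Adam committed U_0 psi but opens b = 1 by naming a decoy as
    U_1 psi; Babe projects that decoy onto U_1 psi.  Averaged over C the
    acceptance rate is the fixed value P_c^A = 1/2 quoted in the text."""
    rng = random.Random(seed)
    accepted = 0
    for _ in range(trials):
        phi = rng.uniform(0, 2 * math.pi)
        decoy = rng.uniform(0, 2 * math.pi)
        accepted += rng.random() < outcome_probability(decoy, phi + math.pi)
    return accepted / trials


if __name__ == "__main__":
    for n, m in [(3, 1), (5, 1), (21, 1), (21, 3), (101, 3)]:
        exact = majority_vote_success(n, m)
        print(f"n={n:3d} m={m}: P_c^B - 1/2 = {float(exact) - 0.5:.4f}"
              f"  bound {majority_vote_bound(n, m):.4f}"
              f"  no-overlap {float(no_overlap_probability(n, m)):.3f}")
    print("simulated P_c^B (n=5, m=1):", simulate_majority_vote(5, 1, 20000))
    print("Adam opening a decoy as U_1 psi:", simulate_adam_decoy_opening(20000))
```

Running the table shows the two halves of the argument side by side: Babe's advantage over $1/2$ shrinks like $1/\sqrt{l'}$ as decoys are added, while the no-overlap probability that neutralises her entanglement approaches 1 for small $m/n$; Adam's decoy-opening success stays pinned at $1/2$ per qubit regardless of $n$.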

Protocol QBC3 achieves unconditional security with the use of anonymous states to 
thwart Adam's cheating and decoy states to thwart Babe's cheating. In [13], it will be shown 
that anonymous states alone without decoy states could lead to unconditional security in a 
more complicated protocol QBC1, in which Babe's cheating is thwarted via bit hashing. 